# Secureum X Diligence bootcamp (November 3–9, 2022)
## Schedule
### Day 1 (November 3, 2022)
- **course kick-off and intro lecture to Scribble (14:30-15:15 CET on [Google Meet](https://meet.google.com/cbf-pvku-yfg))**
  1) introduces the course website with exercises, resources, etc.
  2) provides an overview of Scribble and key language features
  3) introduces initial Scribble exercises
### Day 2 (November 4, 2022)
- **advanced Scribble lecture (14:30-15:15 CET)**
  1) introduces more advanced Scribble features (e.g., if_updated, quantifiers, and assert/let)
  2) introduces additional Scribble exercises
- **office hour (15:15-16:15 CET)**: get help with Scribble exercises and discuss solutions
### Day 3 (November 7, 2022)
- **intro lecture to Diligence Fuzzing (14:30-15:15 CET)**
  1) provides an overview of DF and shows how to fuzz a simple contract
  2) introduces initial DF exercises
- **office hour (15:15-16:15 CET)**: get help with Scribble/DF exercises and discuss solutions
### Day 4 (November 8, 2022)
- **advanced Diligence Fuzzing lecture (14:30-15:15 CET)**
  1) introduces more advanced DF features (e.g., fuzzing lessons)
  2) provides an overview of what's going on under the hood in our Harvey fuzzer
  3) introduces additional fuzzing exercises
- **office hour (15:15-16:15 CET)**: get help with Scribble/DF exercises and discuss solutions
### Day 5 (November 9, 2022)
- **office hour (15:15-16:15 CET)**: get help with Scribble/DF exercises and discuss solutions
## Open Questions
### Q1: Do we want more lectures?
Suggestion: add a separate deep-dive lecture just focused on Scribble
### Q2: What concrete exercises do we want?
#### Lecture 1 (L1)
- during lecture:
  + token transfer (if_succeeds)
- as homework:
  + token transfer (if_succeeds), they write tests
  + [X] some exercise for invariants, they write tests
#### Lecture 2 (L2)
- during lecture:
  + [X] quantifiers over arrays
  + [X] if_updated/if_assigned (perhaps as an alternative to quantifiers)
  + [X] assert/let (batch transfer)
- as homework:
  + [X] exercise combining quantifiers, if_updated, and assert/let (simple OZ contract and 1-2 very specific properties that we provide in natural language, they write tests)
  + [X] more open-ended exercise (take one of 2-3 OZ contracts that we suggest and specify a bunch of properties):
    * ERC20 (https://docs.openzeppelin.com/contracts/4.x/erc20)
    * ERC20Votes (https://docs.openzeppelin.com/contracts/4.x/api/token/erc20#ERC20Votes)
    * ERC20FlashMint (https://docs.openzeppelin.com/contracts/4.x/api/token/erc20#ERC20FlashMint)
    * ERC721 (https://docs.openzeppelin.com/contracts/4.x/erc721)
    * Ownable (https://docs.openzeppelin.com/contracts/4.x/api/access#Ownable)
    * Escrow (https://docs.openzeppelin.com/contracts/4.x/api/utils#Escrow)
    * Crowdsale (https://docs.openzeppelin.com/contracts/2.x/api/crowdsale#Crowdsale)
    * VestingWallet (https://docs.openzeppelin.com/contracts/4.x/api/finance#VestingWallet)
#### Lecture 3 (L3)
- during lecture:
  + token transfer (if_succeeds)
- as homework:
  + token transfer (if_succeeds)
  + [ ] fuzz open-ended exercise from L2, possibly fix properties, and keep track of properties that are not reached
#### Lecture 4 (L4)
- during lecture:
  + fuzzing lessons exercise (docs)
  + [X] mutation testing exercise (transfer)
  + [ ] harness exercise?
- as homework:
  + [ ] some exercise (ABI decode bytes to array of structs, harness, Uniswap that is not under test)
  + [ ] set up fuzzing campaign for open-ended exercise from L2/L3 and make sure all properties hold
  + [ ] repeatedly evaluate and refine the properties by introducing bugs and checking if they are detected by the fuzzer (maybe let a "buddy" introduce the bugs)
### Q3: Who covers what?
- Dimo: lectures 1 and 2
- Joran: lecture 3
- Valentin: lecture 4
- Office hours: Dimo & Valentin
### Q4: Should we set up a repo with all the content that we can share with participants?
Yes, the repo is at https://github.com/ConsenSys/secureum-diligence-bootcamp/blob/main/readme.md.
- Exercises (in separate folders with readme and code)
- Links to other resources and educational material (docs, tutorials, and videos)
### Q5: What should we cover in the deep dives?
- Ideas for Scribble topics (30-45 min possibly on day 2)
  + quantifiers
  + #if_updated
  + #if_assigned
  + #assert and #let
- Ideas for DF topics (30 min on day 3)
  + Debug cycle and fuzzing lessons
  + Mutation testing to identify issues with properties or fuzzer setup
  + Harness contracts to artificially limit the state space
  + Differential fuzzing
  + Harvey under the hood
  + #try and #require
  + cheat codes
### Q6: Should we have a leaderboard/prizes?
Let's not do it this time.
### Q7: How do we sign up participants for DF?
Let's check with Joran and Joao.
### Q8: At what time should the lectures and office hours be?
It seems like all of us will be in Europe.
#### Answer from Rajeev
We will set up a private channel for Diligence on the Secureum Discord server and invite the Top 16 selected participants to that channel once we have the RACE-11 results ready by 31 October.
We can share the pre-work videos and any previous tutorials on that channel by 31 Oct.
We will have a kick-off introductory call on 3 Nov (at a convenient CEST time), invite everyone who can join, and later share that recording on that channel for others.
We can poll the participants for their timezones once we have the Top 16, which will help spread out your in-person office hours over the 5 days.
### Q9: I assume we record the lectures. Should we also record the office hours?
Yes, let's record the lectures, but not the office hours.
### Q10: How do we communicate with the participants? Discord?
Yes, Discord.
**Rajeev:** We will set up a private channel for Diligence on the Secureum Discord server and invite the Top 16 selected participants to that channel once we have the RACE-11 results ready by 31 October.
### Q11: What should be covered in the intro lecture for DF?
Let's check with Joran.
### Q12: Will we use Zoom for the lectures?
No.
**Rajeev:** I will help set up those calls on Google Meet.